Overview of AD FS

Active Directory Federation Services (AD FS) is a feature
in the Windows Server® 2003 R2, Windows
Server 2008, and Windows Server 2008 R2 operating
systems that provides Web single-sign-on (SSO) technologies to
authenticate a user to multiple, related Web applications over the
life of a single online session. AD FS accomplishes this by
securely sharing digital identity and entitlement rights, or
"claims," across security and enterprise boundaries.

Features in AD FS

In Windows Server 2008 and Windows
Server 2008 R2, AD FS includes new features that
were not available in Windows Server 2003 R2. To
learn more about these new features, see What's New in AD FS
in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=85684).

The following are some of the key features of
AD FS:

Federation and Web SSO

When an organization uses Active Directory Domain Services
(AD DS), it experiences the benefit of SSO functionality
through Windows Integrated Authentication within the organization's
security or enterprise boundaries. AD FS extends this
functionality to Internet-facing applications. This makes it
possible for customers, partners, and suppliers to have a similar,
streamlined, Web SSO user experience when they access the
organization’s Web-based applications. Furthermore, federation
servers can be deployed in multiple organizations to facilitate
business-to-business (B2B) federated transactions between partner
organizations. For more information about AD FS federation,
see Understanding Federation
Designs.

Web Services (WS)-* interoperability

AD FS provides a federated identity management solution that
interoperates with other security products that support the WS-*
Web Services Architecture. AD FS does this by employing the
federation specification of WS-*, called WS-Federation. The
WS-Federation specification makes it possible for environments that
do not use the Microsoft® Windows® identity model to federate with
Windows environments. For more information about WS-*
specifications, see Resources for AD
FS.

Extensible architecture

AD FS provides an extensible architecture that supports the
Security Assertion Markup Language (SAML) 1.1 token type and
Kerberos authentication (in the Federated Web SSO with Forest Trust
design). AD FS can also perform claim mapping; for example, it can
modify claims with custom business logic and use the result as a
variable in an access request. Organizations can use this extensibility to modify
AD FS to coexist with their current security infrastructure
and business policies. For more information about modifying claims,
see Understanding
Claims.

Extending AD DS to the Internet

AD DS serves as a primary identity and
authentication service in many organizations. With
Windows Server 2003 Active Directory and Windows
Server 2008 and Windows Server 2008 R2 AD DS,
forest trusts can be created between two or more
Windows Server 2003, Windows Server 2008, or Windows
Server 2008 R2 forests to provide access to resources
that are located in different business units or organizations. For
more information about forest trusts, see How Domain and Forest
Trusts Work (http://go.microsoft.com/fwlink/?LinkId=35356).

However, there are designs in which forest trusts are
not a viable option. For example, access across organizations may
have to be limited to only a small subset of individuals, not every
member of a forest.

By employing AD FS, organizations can extend their
existing Active Directory infrastructures to provide access to
resources that are offered by trusted partners across the Internet.
These trusted partners can include external third parties or other
departments or subsidiaries in the same organization.

AD FS supports distributed authentication and
authorization over the Internet. AD FS can be integrated into
an organization's or department’s existing access management
solution to translate the claims that are used in the organization
into claims that are agreed on as part of a federation. AD FS
can create, secure, and verify the claims that move between
organizations. It can also audit and monitor the communication
activity between organizations and departments to help ensure
secure transactions.
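The claim flow described in the Extensible architecture and Extending AD DS to the Internet sections, as an added example that is not AD FS code or part of the original page: the account partner's federation server derives organization claims from a user's AD DS group memberships, maps them onto the claim set agreed with the partner (anything not mapped is never released, which is how access is limited to a subset of users), signs the result, and the resource partner's federation server verifies the signature and maps the incoming claims onto the claims its application understands. The user names, group names, claim names, partner names and the HMAC shared secret standing in for the X.509 signature AD FS uses are all constructed for this example.

```python
"""Claim mapping across a federation boundary (constructed example)."""
import hashlib
import hmac
import json

# Constructed sample: what the account partner's AD DS reports for each user.
USER_GROUPS = {
    "jsmith": {"Domain Users", "Purchasing", "Managers"},
    "bjones": {"Domain Users", "Engineering"},
}

# Account partner: organization claims derived from group membership.
GROUP_TO_ORG_CLAIM = {
    "Purchasing": ("group", "Purchasing"),
    "Managers": ("group", "Managers"),
    "Engineering": ("group", "Engineering"),
}

# Outgoing mapping onto the claim set agreed with the partner "Fabrikam".
# Only mapped claims cross the boundary: "Domain Users" and "Engineering"
# never leave the organization, so only Purchasing and Managers get access.
OUTGOING_MAP = {
    ("group", "Purchasing"): ("group", "PartnerBuyer"),
    ("group", "Managers"): ("group", "PartnerApprover"),
}

# Resource partner: incoming federation claims -> application claims.
INCOMING_MAP = {
    ("group", "PartnerBuyer"): ("group", "OrderEntry"),
    ("group", "PartnerApprover"): ("group", "OrderApproval"),
}

# Stand-in for the signing certificate; constructed for the example.
SHARED_SECRET = b"constructed-example-secret"


def org_claims_for(user):
    """Identity claim plus one organization claim per mapped group."""
    claims = [("identity", user)]
    for group in sorted(USER_GROUPS.get(user, ())):
        if group in GROUP_TO_ORG_CLAIM:
            claims.append(GROUP_TO_ORG_CLAIM[group])
    return claims


def map_claims(claims, mapping):
    """Identity claims pass through; other claims only if a mapping exists."""
    mapped = []
    for claim in claims:
        if claim[0] == "identity":
            mapped.append(claim)
        elif claim in mapping:
            mapped.append(mapping[claim])
    return mapped


def issue_token(claims, issuer, audience):
    """Sign the claim set so the resource partner can verify its origin."""
    payload = json.dumps(
        {"issuer": issuer, "audience": audience, "claims": claims}, sort_keys=True
    )
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token, expected_issuer, expected_audience):
    """Reject tampered tokens and tokens issued by or for the wrong partner."""
    expected = hmac.new(
        SHARED_SECRET, token["payload"].encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature does not verify")
    body = json.loads(token["payload"])
    if body["issuer"] != expected_issuer or body["audience"] != expected_audience:
        raise ValueError("token not issued by/for the expected partner")
    return [tuple(c) for c in body["claims"]]


def account_partner_sign_in(user):
    """Account partner federation server: org claims -> outgoing claims -> token."""
    outgoing = map_claims(org_claims_for(user), OUTGOING_MAP)
    return issue_token(outgoing, issuer="Contoso", audience="Fabrikam")


def resource_partner_accept(token):
    """Resource partner federation server: verify, then map to app claims."""
    incoming = verify_token(token, "Contoso", "Fabrikam")
    return map_claims(incoming, INCOMING_MAP)


def token_is_accepted(token):
    """True if the resource partner would honor the token at all."""
    try:
        resource_partner_accept(token)
        return True
    except ValueError:
        return False


def federated_access(user):
    """End-to-end: claims the application finally sees for this user."""
    return resource_partner_accept(account_partner_sign_in(user))


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, federated_access(user))
```

Note that bjones is a valid account-partner user but arrives at the application with only an identity claim: the outgoing mapping, not a forest-wide trust, decides who gets entitlements across the boundary. A token whose payload is altered in transit fails the signature check before any mapping is applied.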